Originally Published: Sunday, 15 July 2001 Author: Dave Markowitz
Published to: enhance_articles_sysadmin/Sysadmin Page: 1/4 - [Printable]

Building a Server Appliance with Trustix Secure Linux and Webmin

To command by line or GUI, that is the question. Or, hey, does it really matter? Linux.com contributor Dave Markowitz says it does if we want to get Windows admins using Linux. This week Markowitz takes us through an open-source server appliance installation that is secure, powerful and controlled from the GUI.

Introduction   Page 1 of 4  >>

Windows makes the world go 'round. Well, not really, but sometimes it seems that way. Odds are, if you walk into a networked business, some form of Windows is in use. This often includes use as a server or network operating system. Windows-based networks range in size from the smallest peer-to-peer setups running a few Windows 9x boxes (and some Windows for Workgroups relics) on up to larger enterprises, encompassing thousands of machines. However, the subscription based licensing model being pushed by Microsoft along with its .NET initiative has many IT managers thinking that there has to be an alternative to continually sending money to Redmond.

Although commercial software has played a large part in the IT boom of the past decade, an awful lot of that growth has been due to open source software. Indeed, without open source, the Internet itself would exist in a far different form, if it existed at all. Many of the technologies that helped build the 'net can be used to get us away from paying the "Microsoft Tax," at least in certain circumstances.

If we are going to come up with a viable replacement for Windows as an NOS, it will need to provide the same services as Windows, and preferably more, and at a better price point. At a minimum, we'll need a platform that can provide the following services:

  • Windows file and print sharing, without having to add software to the clients
  • POP and IMAP email retrieval
  • SMTP for sending mail
  • Web proxying and DNS
  • DHCP services to minimize IP administration
  • SQL databases
  • Graphical administration tools (more on this below)
  • Remote administration tools
  • Better security than Windows NT/2000

Although many Linux/UNIX diehards disagree, many, if not most system administrators nowadays are more comfortable working with a GUI, and therefore more favorably disposed towards an OS with one. But a problem with GUIs is that when they are running, but not actually being used, they take up disk space and system resources. So the ideal OS might be one that offers a GUI, but doesn't make its use mandatory for administration: one that only runs when needed.

Such an OS doesn't appear to exist, but I found a way to satisfy these requirements by combining a couple of existing software packages.

The tendency with most NOSes is to activate all services by default. This makes it easier for the inexperienced admin to set up a server, but results in one that is wide open to attack. Since we're looking for a security improvement, I wanted an NOS which when installed activates a minimum of services automatically.

Specifically, I was looking for a Linux distribution that was designed somewhat along the lines of OpenBSD, i.e., "secure by default." Also, it should also give me flexibility as to partitioning and what software is installed.

I'll note here that OpenBSD would probably fill most of my requirements once we found a suitable GUI, but I'm more familiar with Linux, and so chose it for this project.

Several security-oriented Linux distributions have been introduced recently; EnGarde and the NSA's Security-Enhanced Linux come to mind. EnGarde even has a nice web-based GUI, but the installation process does not allow you to specify the partition structure. This put EnGarde out of the running, since specifying your partitions based on your available disk space and operating requirements is key to optimizing your server's performance. Partitioning can also have security implications. More info on EnGarde is available on their Web page, http://www.engardelinux.org/.

I also ruled out the NSA's Security-Enhanced Linux, as it still seems to be more of a research project, rather than a ready-for-primetime distro. From the SELinux FAQ:

"Security-enhanced Linux is a research prototype of the Linux(r) kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement(r), Role-based Access Control, and Multi-level Security."

More information on SELinux can be found at http://www.nsa.gov/selinux/.

Introduction   Page 1 of 4  >>